When IBM CEO Ginni Rometty joined Red Hat CEO Jim Whitehurst on stage at last month’s Red Hat Summit to declare that IBM would leave Red Hat alone after its acquisition, cheers went up from the developers in the keynote audience.
Their fear, of course, was that IBM would somehow change Red Hat and move it away from its open-source roots. The same fears were expressed when Microsoft acquired GitHub, the leading open-source software development platform in the world, but that has worked out fine so far.
When Microsoft drops US$7.5 billion for GitHub, and when IBM plunks down $33.4 billion for Red Hat, it proves that enterprises large and small have embraced open source. It has become big business. In fact, many software providers today are following the model of selling commercial versions of open-source software, which comes with support, vetted updates and the assumption that it is secure. Developers, though, often just grab the components they need from a public repository, unaware of vulnerabilities that might lie within.
In other, not unrelated news, Facebook is leaking more data, as access to the company’s huge data trove was gained through a public AWS database. And in late 2017, credit reporting giant Equifax lost data through a breach in an open-source Apache web server, affecting 148 million users of the service. A simple patch could have prevented that breach, but it fell through the cracks.
Furthermore, a year into the General Data Protection Regulation (GDPR) — and with California data privacy laws in place and growing calls for nationwide data protection laws in the United States — organizations are spending a lot of time and big money on understanding how they got a customer’s PII, where it’s stored and how it’s being used. They do so at the risk of hefty fines in the case of the GDPR, and similar penalties will likely be attached to any federal legislation here in the U.S.
To quote Vincent LaGuardia Gambini from the film classic My Cousin Vinny, “Is there any more [stuff] that we can pile on to the top of the outcome of this case?”
Wait… there’s more.
Organizations are still fed the line that they must go faster to survive. To help developers achieve top speed, new software architectures such as microservices, containers, serverless and infrastructure-as-code have risen. Of course, another way developers work faster is to rely on open-source components to build their applications. This has only added more complexity to IT and business systems, making them harder to test and maintain, and making defects and vulnerabilities harder to find. It also has made them more susceptible to data loss.
What’s it all mean? It means that in today’s software industry, companies are at risk of losing data, losing proprietary intellectual property, and losing business because of these converging initiatives.
Taken individually, these initiatives all offer tremendous benefits to developers and their organizations.
Open-source software helps developers work faster and smarter, as they don’t have to ‘re-invent the wheel’ every time they create an application. They just need to be sure the license attached to that software allows them to use the component the way they want. They also need to stay on top of that application, so that if the component changes, or an API changes, their application isn’t affected and they are still in compliance.
Data protection is also something organizations must get serious about. While the GDPR only affects users in the European Union, it’s only a matter of time before those or similar regulations are in place in the U.S. and elsewhere. Companies should get a jump on that by doing a thorough audit of their data, to know they are prepared to be compliant with whatever comes down from the statehouses or from Washington, D.C.
On the speed side, the benefits of Agile and DevOps are clear. These methodologies enable companies to bring new software products to market faster, getting a jump on the competition, working more efficiently and ultimately serving their customers.
Unfortunately, these efforts are usually carried out by different teams of developers, database administrators and security experts. If the Equifax and Facebook breaches have taught us anything, it’s that you can’t expect developers to be security experts, and you can’t expect DB admins to understand the ramifications for the business when data is misunderstood.
It will take a coordinated approach to IT to achieve business goals while not leaving the company — and its IP and PII data — exposed.